Wednesday, August 22, 2007

Intuit Quicken backdoor encryption key cracked

Turns out there is a 512-bit master encryption key used in all versions of Quicken since 2003 that allows Intuit to decrypt your data (or potentially allows the government to do so, as the conspiracy theorists are theorizing).

Pforzheimer acknowledged that there is a way to access encrypted Quicken files without a password, but that the ability is hardly secret. "It's for Quicken users who have forgotten their passwords - and only done when they call customer service or support."

Wonder how good their controls are for authenticating the owner of the files sent to them that they happily decrypt for $10? Or how good their controls are on who has access to the decryption key? At least they should have disclosed to customers that they had this capability.

I have not found any technical details on the backdoor as it is likely proprietary info that Elcomsoft will use to make money with.

Russian security software firm Elcomsoft announced on Friday that the company's researchers had cracked the master password that secures encrypted Quicken files and which allows the software's developer, Intuit, to retrieve lost passwords.
Elcomsoft cracks Quicken "backdoor"
